Microsoft office documents are playing a vital role towards red team assessments as usually they are used to gain some initial foothold on the client’s internal network. Staying under the radar is a key element as well and this can only be achieved by abusing legitimate functionality of Windows or of a trusted application such as Microsoft office.

Historically Microsoft Word was used as an HTML editor. This means that it can support HTML elements such as framesets. It is therefore possible to link a Microsoft Word document with a UNC path and combing this with responder in order to capture NTLM hashes externally.

Word documents with the docx extension are actually a zip file which contains various XML documents. These XML files are controlling the theme, the fonts, the settings of the document and the web settings. Using 7-zip it is possible to open that archive in order to examine these files:

Docx Contents

The word folder contains a file which is called webSettings.xml. This file needs to be modified in order to include the frameset.

The _rels directory contains the associated relationships of the document in terms of fonts, styles, themes, settings etc. Planting the new file in that directory will finalize the relationship link which has been created previously via the frameset.

webSettings XML rels

Now that the Word document has been weaponized to connect to a UNC path over the Internet responder can be configured in order to capture the NTLM hashes.

responder -I wlan0 -e 192.168.1.169 -b -A -v

Responder Configuration

Once the target user open the word document it will try to connect to a UNC path.

Word – Connect to UNC Path via Frameset

Responder will retrieve the NTLMv2 hash of the user.

Responder – NTLMv2 Hash via Frameset

Alternatively Metasploit Framework can be used instead of Responder in order to capture the password hash.

auxiliary/server/capture/smb

Metasploit – SMB Capture Module

NTLMv2 hashes will be captured in Metasploit upon opening the document.

Metasploit SMB Capture Module – NTLMv2 Hash via Frameset

Conclusion

This technique can allow the red team to grab domain password hashes from users which can lead to internal network access if 2-factor authentication for VPN access is not enabled and there is a weak password policy. Additionally if the target user is an elevated account such as local administrator or domain admin then this method can be combined with SMB relay in order to obtain a Meterpreter session.